Teleport 2.6 Released

May 31, 2018
by
Ev Kontsevoy

Today we are releasing a major new version of Teleport, version 2.6, that brings several new features requested by Teleport administrators, both in cloud-native environments and those with more traditional data center fleets.

Before we dive into the details, let’s introduce Teleport to the new readers of
this blog.

Teleport is open source and fully compatible with OpenSSH clients and servers.
It can also be used purely as a bastion, issuing SSH certificates and providing
connectivity to legacy clusters located behind firewalls.

What’s new in 2.6?

As usual, the full list of changes can be found on GitHub,
but here are the major new features:

The source code of this release has also gone through a security audit performed by Cure53.
Cure53 will publish the audit report publicly in the near future.

DynamoDB and S3

AWS users of Teleport can now store their cluster state in
AWS-provided storage back-ends. This release lets them use DynamoDB and S3
to store audit information instead of local disks (or EBS volumes).

This brings several advantages:

S3 buckets have much more flexible RBAC, which allows for policies
like “write-only”.

DynamoDB offers much more robust search capabilities than JSON files on a
local disk. Obviously, it scales better, as well, for large clusters with
significant audit event traffic.

Deploying highly available (HA) Teleport clusters is now much easier because
all nodes are nearly stateless.

Certificate Authority Rotation

Teleport is quite opinionated about SSH authentication and it only uses SSH
certificates, not keys. This important design decision makes the entire “SSH
key management” habit obsolete, because users’ certificates are rotated daily
(or even hourly).

However, Teleport has historically used the same long-lived certificates for host
authentication. We have never been comfortable with this compromise, so in
this release we have finally added the ability to rotate all certificates within
a cluster by rotating the certificate authority (CA) for both users and hosts.

To trigger CA rotation:

# execute this on a Teleport auth server to rotate both CAs, for users and hosts:
$ tctl auth rotate

This operation starts the rotation procedure, and after a few hours all
previously issued certificates will be invalid. The rotate operation was
designed to be safe and to be used frequently. It relies on a “grace
period” (24 hours by default) during which both sets of certificates, old
and new, are accepted. This gives users and hosts time to
re-authenticate with the cluster and receive new certificates (hosts do
this automatically).
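To make the grace-period rule concrete, here is an added toy model of CA rotation written for this post; it is not Teleport's code, and the ed25519 "certificates", the `Rotation` type and the 24-hour window are assumptions of the illustration. During the grace period a host certificate issued by either the old or the new CA is accepted; once the window closes, only the new CA is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// CA is a toy certificate authority: one ed25519 key pair (illustration only).
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return CA{Pub: pub, priv: priv}
}

// Cert is a minimal "certificate": a principal plus the CA's signature over it.
type Cert struct {
	Principal string
	Sig       []byte
}

// Issue signs the principal name with the CA's private key.
func (ca CA) Issue(principal string) Cert {
	return Cert{Principal: principal, Sig: ed25519.Sign(ca.priv, []byte(principal))}
}

// Rotation holds the outgoing and incoming CA and the end of the grace period.
type Rotation struct {
	Old, New CA
	GraceEnd time.Time
}

// TrustedCAs returns the CAs accepted at time t: both during the grace
// period, only the new one afterwards.
func (r Rotation) TrustedCAs(t time.Time) []CA {
	if t.Before(r.GraceEnd) {
		return []CA{r.Old, r.New}
	}
	return []CA{r.New}
}

// Verify accepts c only if a CA trusted at time t signed it.
func (r Rotation) Verify(c Cert, t time.Time) error {
	for _, ca := range r.TrustedCAs(t) {
		if ed25519.Verify(ca.Pub, []byte(c.Principal), c.Sig) {
			return nil
		}
	}
	return errors.New("certificate not signed by a trusted CA")
}

func main() {
	start := time.Now()
	rot := Rotation{Old: NewCA(), New: NewCA(), GraceEnd: start.Add(24 * time.Hour)}
	oldCert := rot.Old.Issue("host-1") // issued before rotation began
	fmt.Println("during grace:", rot.Verify(oldCert, start.Add(time.Hour)))
	fmt.Println("after grace: ", rot.Verify(oldCert, start.Add(25*time.Hour)))
}
```

A host that re-authenticates within the window obtains a certificate from the new CA and keeps working after the cutoff; one that does not is refused, which is the failure mode the grace period exists to avoid.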

PAM Integration

This release of Teleport allows administrators to define a PAM profile to be used
for SSH sessions initiated by the teleport daemon. This capability is not enabled
by default, but can be turned on by modifying the Teleport configuration file,
usually /etc/teleport.yaml:

Upgrading

AWS Marketplace Listing

We are happy to report that, due to popular demand, we are submitting this
release to be listed in the AWS marketplace. This will allow AWS users to quickly
instantiate properly deployed and configured Teleport clusters into their AWS
accounts using the AWS web interface.

Thanks to our community contributors and testers who helped us make 2.6 a reality!

Talk to us!

For more information about Teleport, you can take a look at the
documentation or the overview. It is open source, so
feel free to dig in; issues and/or pull requests are welcome. Also, feel free to
reach out via email if you have additional questions: [email protected].